Tell HN: Login to unsubscribe is against Federal Law
310 points by bound008 on Sept 9, 2012 | 100 comments
This is a non-friendly reminder to all startups and marketing people. If you are sending me an email and it does not have an unsubscribe link that meets the following rule (as of 2008 FTC ruling on CAN-SPAM act of 2003) then you are breaking the law:

to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single page on an Internet website

source: http://www.ftc.gov/os/2008/05/R411008frn.pdf

Note: if you are not telling me about a financial transaction we made, our email is not transactional and STILL must follow that ruling.

I have a simple rule for email that I don't want. If there is a way to easily opt-out (clicking a link, replying with "unsubscribe", or (in rare cases) filling out my email address on a form) I will do that. I should also set a rule for that sender saying "opted-out" so I can know if they aren't respecting that. If I can't do any of those things, I mark it as spam and move on. I don't care about the negative impact to your future emails by getting spam reports in Gmail. It doesn't concern me. Let me unsubscribe easily and legally.

Gmail actually detects when you click spam and there's an unsubscribe method available, and will attempt to unsubscribe for you[1].

[1] http://gmailblog.blogspot.co.uk/2009/07/unsubscribing-made-e...

Not exactly. It does, but only if the appropriate headers are set (and they're usually not).

> For those of you senders who are interested in this feature, the most basic requirements are including a standard "List-Unsubscribe" header in your email with a "mailto" URL

Do they support HTTP URLs in the List-Unsubscribe header yet? Last time I checked, the mailto URL was the only one they supported, despite the fact that RFC 2369 clearly includes an HTTP option. It would be so much easier if website developers could simply reuse their existing unsubscribe link, instead of having to monitor a special e-mail account. And yet nobody seems to support the HTTP URL option.
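The comment above concerns the RFC 2369 List-Unsubscribe header and the wish to reuse the web unsubscribe link inside it. The following is an added example, not code from the thread or from any mail provider: it builds a message whose List-Unsubscribe header carries both a mailto and an https URL (RFC 2369 allows a comma-separated list of angle-bracketed URLs), then parses the header back and prefers the web form. It also sets the RFC 8058 List-Unsubscribe-Post header for one-click unsubscribe, which postdates this thread and goes beyond it. The sender, recipient, mailbox and URL are placeholders.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# RFC 2369: the header value is one or more URLs, each inside angle brackets,
# separated by commas. Mail clients may pick whichever scheme they support.
_ANGLE_URL_RE = re.compile(r"<([^>]+)>")


def build_unsubscribe_message(sender, recipient, mailto_addr, http_url):
    """Build a bulk message advertising both unsubscribe forms (placeholders assumed)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Monthly newsletter"
    # Same token-bearing web link in the header and in the body, so there is
    # one unsubscribe path to maintain; the mailto is for clients that only
    # act on that form.
    msg["List-Unsubscribe"] = f"<mailto:{mailto_addr}>, <{http_url}>"
    # RFC 8058 one-click: clients POST this body to the https URL (beyond the thread).
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"Newsletter body goes here.\n\nUnsubscribe: {http_url}\n")
    return msg


def parse_list_unsubscribe(raw_bytes):
    """Return the URLs found in List-Unsubscribe, in header order ([] if absent)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    value = msg.get("List-Unsubscribe")
    if value is None:
        return []
    # policy.default unfolds the header; normalise any leftover whitespace anyway.
    value = re.sub(r"\s+", " ", str(value))
    return _ANGLE_URL_RE.findall(value)


def pick_unsubscribe_url(urls):
    """Prefer https, then http, then mailto, mirroring what a client would do."""
    for scheme in ("https:", "http:", "mailto:"):
        for url in urls:
            if url.lower().startswith(scheme):
                return url
    return None


if __name__ == "__main__":
    m = build_unsubscribe_message("news@example.com", "alice@example.org",
                                  "unsub@example.com",
                                  "https://example.com/unsubscribe/abc")
    found = parse_list_unsubscribe(m.as_bytes())
    print(found, "->", pick_unsubscribe_url(found))
```

Folding of the header by the email library does not disturb the parse: the fold lands on the whitespace after the comma, never inside a bracketed URL, and the parser unfolds it again.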

Case in point: the HN-launched Geeklist, impossible to unsubscribe from, and GMail spam still somehow ignores my repeated clicks.

"I have a simple rule for email that I don't want."

Me too. I use procmail to send it to /dev/null. I've done this for the last 12 years.

12 years? /dev/null must be pretty full at this point :)

That's why you set up rolling backups for /dev/null.

The problem is that restores of these backups literally take forever.

To product designers: In practice, you should really avoid using the "sending a reply email message" part. Especially these days when people have multiple email addresses, it can very quickly break down.

This happens often to me:

* Get email that I'd like to unsubscribe to

* Look for unsub info -- directed to "reply to this email" or, almost as bad, "enter your email address"

* Follow instructions

* Receive notice saying "Sorry, the email you entered [sent from] is not in our database"

Well thanks. We've gotten nowhere.

So the right way to design this should be a simple unsubscribe link w/ a unique token that executes the request upon clicking.

At worst, you can do what Constant Contact does and require the email address to be entered, but still provide a hint (i.e. "a....c@gmail.com"). This is still somewhat annoying, but I understand why they do it -- it likely reduces net unsubs since there's a second step involved. Pushing it, but thinking as a business owner as well, I get it.

In gmail: click the down arrow thingy, then "Show Original Email". Look for the line that says "Delivered-To: XXX@XXX.COM", and that's the email it was delivered to.

If you have an email A forwarding to B, on B there will be a "Delivered-To: B", I think. I never got to understand where on the email source I can find if it was to A or B.

I agree with your point about unsubscribe links, but I don't see how it's not immediately obvious which of your multiple E-Mail addresses you need to unsubscribe with since it's going to be the one the mail was sent to.

For those with vanity URLs and GMail - the trick I use to manage unsubscribes better is to enable 'catch-all address' and registering for new accounts by their URL and TLD, e.g. news_ycombinator_com@URL.com, or kennethcole_com@URL.com, etc.

Two benefits - 1) easier to remember my login per site and 2) if I start getting spammed as a result of my info being shared with third-parties, I can attribute the original offender to the e-mail address.

Also a good way to get vast amounts of dictionary attack spam. One of the mail domains I host was accepting mail to all addresses for some years, and this seems to have attracted even more spam: the volume of junk it gets is disproportionately huge compared to the other similar domains.

My mail server allows -- as an alternative to + so my users can work around braindead address regexes.

You also get a few hundred "new viagra price" in your spam folder sent to HjvhBYgVqJ@your.domain. You'll never find kennethcole_com@your.domain in that mess. Even worse is that you get bounced spam emails sent to some@guy.com with the from header set to HjvhBYgVqJ@your.domain and the spam filter doesn't see them as spam.

Also, assuming the site isn't brain-dead and invalidating the address, you can use email+site@gmail.com with any gmail or google apps address.

That + is frequently a cause of contention though, so I use a . (which was done via config when I ran my own mail server in days gone by) and also have a catchall on google apps.

If I were selling my database to spammers I would process my entire list to remove everything between the plus and the at sign.

Gmail accepts multiple forms of email addresses for a single account. first.last@gmail.com is identical to firstlast@gmail.com. I often get subscribed to email lists I don't want using a variant of my Gmail address that I never use. Also, plenty of people use forwarding addresses; it may not be clear which address was the target.
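The comments above on plus-tags, "--" tags and Gmail's dot-insensitivity amount to an address normaliser, and the remark about a list seller stripping everything between the plus and the at sign is exactly that normaliser applied to a whole list. The following is an added example, not code from the thread: it canonicalises addresses the way a dedup pass would, stripping tags, collapsing dots only for Gmail domains (other domains keep their dots, since dot handling there is provider-specific), and treating googlemail.com as gmail.com. Lowercasing the local part is an assumption; the standards allow it to be case-sensitive, although most providers do not treat it so.

```python
from collections import defaultdict

# Domains known to ignore dots in the local part and to alias each other.
_GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_address(addr, tag_separators=("+",)):
    """Canonical form of an address for matching/deduplication.

    tag_separators: the "+" subaddress convention by default; add "--" (or
    whatever a given server accepts) to strip those tags as well.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    local = local.lower()      # assumption: local parts compared case-insensitively
    domain = domain.lower()
    # Drop the tag: everything from the first separator to the "@".
    for tag_sep in tag_separators:
        if tag_sep in local:
            local = local.split(tag_sep, 1)[0]
    if domain in _GOOGLE_DOMAINS:
        local = local.replace(".", "")   # dots are ignored by Gmail only
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_variants(addresses, **kw):
    """Map each canonical address to the raw variants that collapse onto it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[normalize_address(raw, **kw)].append(raw)
    return dict(groups)


def same_mailbox(a, b, **kw):
    """True if two spellings reach the same mailbox under these rules."""
    return normalize_address(a, **kw) == normalize_address(b, **kw)


if __name__ == "__main__":
    # Constructed sample list, not real data.
    sample = ["First.Last+shop@gmail.com", "firstlast@gmail.com",
              "f.i.r.s.t.last@googlemail.com", "user+news@example.com",
              "user@example.com", "first.last@example.com"]
    for canon, variants in group_variants(sample).items():
        print(canon, "<-", variants)
```

The practical consequence for the tagging trick: a tag identifies who leaked an address only as long as the recipient of the leak does not bother to run this normaliser, and it takes about ten lines.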

What you're saying is odd, because I own a first.last@gmail.com email address and I know the person that owns the equivalent firstlast@gmail.com email address.

Also, the email address to which the message was sent appears clearly in the "To:" header.

This is not Gmail's designed or advertised behavior.


Either you or your friend is misspelling their address (more common than you might think, I get opt-in mailing-list mail for myaddress@gmail.com, intended for myaddress@ymail.com), or you've encountered a bug.

You can put periods inside the username part of a gmail address and it still gets through. I'm not sure how what you're saying could be true? Maybe it wasn't always this way.

funny. Because if you own the address halfarsed@gmail.com, I thought you also own half.arsed@gmail.com.

The dots are for you to play around with, but the mail all goes to one account. Or, at least, that's how it works with my account.

Early first.last@gmail accounts had firstlast@gmail reserved for them. Google stopped doing that a few years after launch.

Are you certain? I'm under the impression periods in email addresses, anywhere, do not affect delivery


Periods in gmail addresses do not affect delivery. Other mail servers may behave differently.

I had no idea they stopped doing that! That seems a pretty serious change of model, I'm glad I know it now.

They didn't stop.

I thought it was the other way around: mail to firstlast@gmail.com will be delivered to first.last@gmail.com unless firstlast@gmail.com was registered early on.

Not always.

Google's own google-content-api-for-shopping@googlegroups.com mailing list has this as the "To:" field:


And at the bottom of the message:

To unsubscribe from this group, send an empty message.

I had to ctrl-u and check the "Delivered-To:" and "X-Forwarded-For:" headers before I could unsubscribe.

(I'd tried to unsubscribe previously but the subscribed email account forwards to my main account so replying with an empty message didn't work. This thread prompted me to dig a little deeper and finally get one less piece of email per day - thanks HN!)

Exactly, even if email is forwarded, the To: should still be intact.


Delivered-to is still going to be valid. You'll have to be able to read all email headers, though.
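The two exchanges above (reading Delivered-To in "Show Original", and the mailing-list case where To: names the group rather than the subscriber) come down to reading the trace headers in order. The following is an added example, not code from the thread: on a constructed message that was delivered to an alias and then forwarded to a main mailbox, it lists the Delivered-To headers top to bottom, takes the bottom-most one as the address the list actually has on file (each forwarding hop prepends its own Delivered-To, so the earliest hop ends up last), and falls back to the "for <...>" clause of Received headers when no Delivered-To is present. All addresses and hosts in the sample are invented.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: list mail sent to old@alias.example, which forwards to
# me@main.example. Headers are in the order a mail client would show them.
SAMPLE = (
    b"Delivered-To: me@main.example\r\n"
    b"Received: from mx.alias.example by mx.main.example"
    b" for <me@main.example>; Sun, 9 Sep 2012 10:00:02 +0000\r\n"
    b"Delivered-To: old@alias.example\r\n"
    b"Received: from lists.example by mx.alias.example"
    b" for <old@alias.example>; Sun, 9 Sep 2012 10:00:00 +0000\r\n"
    b"From: announce@lists.example\r\n"
    b"To: members@lists.example\r\n"
    b"Subject: Weekly digest\r\n"
    b"\r\n"
    b"To unsubscribe, send an empty message to members+unsubscribe@lists.example\r\n"
)

# The "for <addr>" clause of a Received header, when the MTA recorded one.
_RECEIVED_FOR_RE = re.compile(r"\bfor\s+<?([^>\s;]+)>?", re.IGNORECASE)


def _parse(raw_bytes):
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def delivered_to_chain(raw_bytes):
    """All Delivered-To values, top (latest hop) to bottom (first hop)."""
    return [str(v).strip() for v in _parse(raw_bytes).get_all("Delivered-To", [])]


def received_for_chain(raw_bytes):
    """Recipient addresses recorded in Received headers, same order as above."""
    found = []
    for received in _parse(raw_bytes).get_all("Received", []):
        m = _RECEIVED_FOR_RE.search(str(received))
        if m:
            found.append(m.group(1))
    return found


def visible_to(raw_bytes):
    """The To: header; for list mail this is the group, not you."""
    return str(_parse(raw_bytes).get("To", "")).strip()


def subscribed_address(raw_bytes):
    """Best guess at the address the sender has on file: the first delivery hop."""
    chain = delivered_to_chain(raw_bytes) or received_for_chain(raw_bytes)
    return chain[-1] if chain else None


if __name__ == "__main__":
    print("To:          ", visible_to(SAMPLE))
    print("Delivered-To:", delivered_to_chain(SAMPLE))
    print("Unsubscribe with:", subscribed_address(SAMPLE))
```

When the message has passed through a list expander, the Received "for" value at the list hop may already be the list address rather than the member; in that case only the Delivered-To chain is informative, which is why it is tried first.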

Sending a reply email message can still work just fine. Assuming they include the original message in their reply, you just need to embed an ID in the original message, and look them up through that.

in which case you've invested the effort in making the stateful one-time token for unsubscription (is that a word?) - it's EASIER to enact that via a web link than parsing response emails

It's only easier if the recipient is web browsing, and wants to risk getting cookies and malware from a known-malicious entity...

if it's a known malicious entity I don't think I'd want to confirm that my email address is 'live' either way ...

the majority use case here is that they're not malicious, merely spammy with good intentions.

In the last few days, I have been imagining an ethics pledge for start-ups.

I think start-up culture tends to be a bit unethical - we favor expedience and results over rules and regulations, and that's generally correct, but also leads us into murky territory.

The most important guideline might be this - build a company where you'd want to have any of the jobs, and where you'd want to be a customer. But specifically:

1) never send someone an email without explicit opt-in (make them check a box, don't start spamming just because they registered).

2) make it easy for a user to delete themselves from your database, entirely

3) make it easy for a user to port data elsewhere

4) don't make up fake email personages, or otherwise overtly lie to your customers

5) don't use misleading numbers for marketing or fundraising

6) give employees warning and/or severance when you plan to fire them

7) don't discriminate based on gender or sexual preference, even though it may be legal for small companies to do so in your locality

8) if you store financial or sensitive data, make security a priority

I appreciate the sentiment, but the trouble with these sorts of black-and-white claims is that they aren't always realistic.

For example, if I've been taking money from a customer, then I am required to keep appropriate records of that, for example for tax purposes. I must not completely delete that user from my database, no matter how much they ask me to or how willing I would be to do so absent the legal/regulatory requirements that I have to meet.

Having said that, I think serious ethical problems start to creep in if we allow genuine obligations like that one to start getting blurred. After all, if I have to keep some personal data on file because of my tax obligations, there's no harm in keeping the rest as well, right? No-one will ever know unless we get hacked, and we're 100% confident in our security so that's never going to happen. Similarly, if users are signing up using an e-mail address as account ID and I send the required legalese documents to them at that address when they sign up, I might as well send them "news" every few days as well since they obviously don't mind hearing from me. And hey, I've got a cookie there to handle someone logging in, so no harm in having another one for analytics, and if we're going to do that, we might as well let advertisers use tracking cookies as well because no-one cares about privacy any more and they're all on Facebook anyway.

I suppose the trouble is that all of those things are probably already illegal, at least in my jurisdiction, and any start-up willing to do them is probably just as willing to sign up to any friendly-sounding "pledge" and then completely ignore it. Put another way, I'd be happy for any business I run to commit to a realistic pledge along the lines you suggested, but then we wouldn't be doing the sorts of shady thing you're trying to highlight anyway, so I'm not sure anyone gains anything from it.

>> 7) don't discriminate based on gender or sexual preference, even though it may be legal to do so in your locality

do you feel like this is a big problem in the startup world?

Certainly... if not in who gets hired, then at least in what hires get paid.

Would you care to provide some evidence for this claim?

For what claim? Unless you're a WASP, you know that discrimination still exists. I don't see why startups would be automatically immune to this until they have explicit policies in place ensuring proper equal treatment.

I was unaware that Catholics get paid less than Protestants in the startup world.

More on point, our cultural norms are a little funky. I don't feel really that there should be any degree at a university where there are 20x the number of male students than female students. However, in the computer science world, this is probably the case. This isn't from direct discrimination, but as I said, from cultural standards. Perhaps we should try to be more welcoming to women in the technology field in general.

Parent implied that female startup hires get paid less than their male counterparts. This is not something that can be proved "a priori", regardless of the presence of discrimination (or "WASPS") in the world.

For the US, I thought the converse was directly provable with empirical data. Don't you have a far stronger argument than you are using?

One should do so irrespective of ethical imperatives. Failure to recognise and correct for your inherent biases (and we all have them; distrust anyone claiming otherwise) means missing out on segments of the talent pool, and so more fool you.

I am quite critical on something like this. In fact I would even expect startups to break quite a few of these suggestions you make.

I personally think that startups face enough challenges already and anything that goes beyond legal limitations and restrictions is just reducing the chances for startups to succeed. Startups are there to break the rules, be disruptive, and should get some slack to "fake it until they make it".

Are you seriously suggesting that it's OK to spam, not bother with proper security or privacy controls, or treat your employees badly, just because you're running a start-up?

Most of these things already come under "legal limitations and restrictions", and if a start-up can't disrupt a market or create a viable competing offer without breaking those rules, then perhaps it deserves to fail.

European law:

    When the email address is obtained in the context
    of the sale of a product or service, *the natural
    or legal person may use the email for direct
    marketing of its own similar products or services
    provided that customers clearly and distinctly are
    given the opportunity to object, free of charge and
    in an easy manner*, to such use of electronic contact
    details when they are collected and on the occasion
    of each message in case the customer has not
    initially refused such use.

If I wind up on some mailing list and there isn't a very easy way to unsubscribe via link right in the email, I immediately and without guilt mark the mail as spam in my gmail.

I recommend everyone else do the same and if everyone did I think the fear of being put on gmail's global blacklist for spam would be a far more effective deterrent than the laws alone.

This is in fact the intent of Gmail's spam button design. Gmail's definition of spam isn't tailored to Federal law, it's "whatever messages our users are likely to mark as spam"

The CAN-SPAM law makes a clear distinction between “commercial electronic mail message” and “transactional or relationship message”.

In most cases, if an email isn't commercial in nature, it's excluded from the CAN-SPAM requirements. Now, whether or not it annoys your users is another discussion...

One relevant excerpt:

"These requirements do not prohibit transmission of “transactional or relationship” content. Even if a recipient opts out of receiving messages with a commercial primary purpose from a particular sender, that sender may continue to transmit other types of messages. Therefore, recipients who invoke their rights under the opt-out mechanism required by CAN-SPAM will continue to receive valuable “transactional or relationship” messages. This is important because transactional or relationship messages are communications that Congress has determined to be per se valuable to recipients."

This is how linkedin does it. They created an account for me then started blasting me with emails. When I try to unsubscribe I have to login. Almost want to shoot myself every time I see a stupid linkedin email. How can I login to an account I didn't create?

If it's tied to your email account, couldn't you do a password reset?

Try a CAN SPAM lawsuit?

I read Section 316.2(o) – Definition of “Transactional or Relationship Message”. It would appear I'm allowed to tell you about software updates, forgotten passwords and the like without including an opt-out link. These are termed transactional or relationship messages and are excluded from the definition of commercial electronic mail messages.

By that logic, it would seem I'm also allowed to make you login to change the settings by which I notify you of these things. While it would be nice of me to provide such functionality to my site, it does not appear I am obliged to do so under law.

It's pretty common to require sign in to change email preferences. Not out of malice, but more that if you want to have more than a global unsubscribe, you then have to allow users to see the prefs for a given email address without being logged in. It gets tricky quickly.

I'd love to see a blog post about best practices when you have a few different options in your email prefs & you want to avoid people having to log in.

When I receive update mails from a company I've bought from, and there was no explicit opt-in checkbox, I usually just mark them as spam and send future mails from that entity to the trash. My box is full enough.

It's not just startups. Why does Google get away with this with their "Name Here wants to chat" invite emails? I have an address that at this point must have received hundreds of these emails, none of which have instructions on how to block them. Partial example: http://cl.ly/image/3y3D0f2r0W0q

I don't know whether this is a separate case under the relevant laws, but you're getting that email because your contact explicitly clicked the "Invite to chat" button in Gmail. Arguably, Google is sending those emails on behalf of your contact.

Speaking of Google, every mailbox I have is subscribed to a dozen Google Groups full of Arabic-language spam. These are mailboxes on my own domains, that don't have Google Groups or Google Account accounts. Anyone can add you to a group and start spamming you through Google, repeated "report this group as spam" reports don't stop new mails from arriving, and the only way to unsubscribe is to create a Google Account with that mailbox then leave the group.

Does that mail get labelled Inbox, or Spam, when it is first delivered?

I guess because they're user initiated and not automated?

Thank you.

Not only illegal, it is downright rude to establish gatekeepers like a login box to avoid getting me off that important newsletter.

Given any mail with this characteristic I will gladly report it as spam in the hope that the next guy won't have to deal with it.

What legal recourse do consumers have against companies that violate this?

LinkedIn and GetGlue both require logins to unsubscribe, so I mark their emails as spam and filter directly to trash. It works, but philosophically it still pisses me off...

This is perhaps crazy, but if you drop a line to their legal department, it may just work.

Really? I get Linkedin spam shit every day for god knows how many years. Every time I delete it or report it as Spam, I still get the stuff the next day. Most annoying website in the world. I even changed my profile to reflect that since I couldn't figure out how to unsubscribe once I finally logged in.


I've been working with a team on a product that we use in this situation. https://leemail.me

You can give a custom email to every website. Then if they spam you or sell you address, you'll know and it's one click to turn them off.

Another nice trick is to change your email at a spammy vendor to a leemail and then turn it off.

I filed a formal complaint to the FTC last year for Beatport doing this after complaining about it to them and essentially being told to fuck off.

Their emails still arrive and get filtered to my trash. They're still in violation with no simple way to unsubscribe.

Somewhat obvious, but the law should be the last port of call for advice. The real plea is to do the right thing by your customers. If they don't want your email then let them escape instantly. It's then more likely they will have a good feeling about your company for any future interactions or recommendations.

How are we, for example, feeling about Linked In these days?

Excellent point. I'm currently working through a mountain of email from a hideous sounding site called Meet Me that somebody's subscribed to using my Gmail address. Not only can I not unsubscribe from the site, I can't even report it to them on their "identity theft" page using my address because it detects that it's in use by a supposed existing member and bounces me to a login page. My only strategy now seems to be to wait out the period until the subscription auto-expires because the email address hasn't been confirmed. Meet Me can die in a fire.

Gold mine. Under CAN-SPAM, spam is worth $500 per message, if you can identify the sender.

Facebook's 'Daily Credits Report' breaks this rule. I can't find anywhere to unsubscribe from these 2 daily emails! Anyone else suffer this?

I can't tell you how to unsubscribe, but I can give you the link to the FTC to complain about violations of the CAN-SPAM act: https://www.ftccomplaintassistant.gov

I complained about Facebook for requiring me to sign in to unsubscribe from group-emails (which I had already turned off twice).

Thanks for posting this -- I've been getting email from companies that are requiring login to change email settings, but the inconvenience of getting spam is less of an inconvenience than tracking down my password for this random site. I've emailed saying that it was probably against a law, but I didn't know which law specifically.

To verify: the ramification of these rules is that for any service that you do not pay for, if I know your email address, I can disable your service (as the bare minimum security requirement for such would have the service at least add a large random string to the emails it sends you, which would be information you would need to opt out that they are not allowed to require).

(FWIW, I'm all for following laws that already exist, including this one, but frankly this was a stupid law to enact: spam is not a serious problem, and spam from a single specific bothersome recipient--the only kind this law could possibly affect--was never a problem (or at least hasn't been since the invention of the killfile, something that I am pretty sure predates my birth). What needed regulation was real physical mail--the kind that causes nearly infinite paper trash--and yet that seems to largely be ignored.)

This law is a godsend in combating email spam. You must live in a different world if you don't have spam problem.

Look, I get tons of spam: I have had the same email address since 1997 and have never been shy about posting it anywhere and for any purpose with visibility to anyone. However, spam filters actually work well, and to the extent they don't work it doesn't take much time to deal with: spam is very obvious. When spam isn't obvious, I will argue it is actually a malicious phishing attack, and not spam.

Given this, you must realize that >99% of this spam is from random people who are not actually subject to this law because they aren't at all traceable. If I have heard of the service, then it will be trivial enough to killfile (such as, "reject all messages from this domain; example: *@pcworld.com"), and much easier to do so than even clicking a single link to unsubscribe as you can make that a hotkey in your client.

(Sadly, people believe that they should rely on spam filters for this use case, which is ludicrous as there is no real way to differentiate "I signed up for PCWorld in 1999 and have since decided I no longer care" from "I never signed up for PCWorld, but they decided to start sending me things I hate" from "I like PCWorld and would love to hear about their new articles, so I subscribed" using remotely objective algorithms.)

(Even a human is going to get it wrong half the time, especially if they're as spam-touchy as the people on this thread reporting services I might personally use and like to Google as "spam" when they can and should either killfile the sender or take the extra 30 seconds to unsubscribe; people who do this just damage the effectiveness of spam filters by messing up the training sets with data that isn't truly indicative of the spam we need machine learning to filter.)

In essence, this law spends a bunch of time figuring out how to regulate people who were either never the problem in the first place, or were the problem only because they decided to hand your email address to a third party they maybe shouldn't have (although the idea that you will combat spam by keeping your email secret is already a losing battle). Meanwhile, the people who cause the >150k spam messages I receive per year to saurik@saurik.com just get to keep on spamming.

So, when you say spam is not a problem you mean it is not a problem for you. You know how to set filters; you're using machines a lot anyway (and thus the extra bandwidth and storage and processing isn't a burden) etc etc.

I'm gently worried about the spam vs ham problem. Some people must not ever have a false positive.

In theory this law encourages good companies to stay good companies and to not outsource to dodgy spam outfits.

It is weird that in 2012 we're still making up stuff about the best practice for sending email.

Normal people use hosted services like Gmail (Yahoo!, Outlook.com, fastmail.fm, etc.), and are not worrying about bandwidth or setup complexity.

You might claim Gmail is worrying about the bandwidth, but again: this kind of spam is a tiny tiny fraction of the spam problem. These people are already capable of using buttons that say "spam": a killfile is just another single-click button.

Finally, and again: the spam vs. ham problem is mostly complex because people are misdefining spam as "mail I don't want" as opposed to "mail I couldn't possibly have wanted" (and thereby use the spam button to punish people whose policies they dislike, which both mistrains filters and relies on machine learning to solve a straightforward problem that could be exactly solved by rules).

The spam in the latter category must be machine filtered, as neither this law nor any other possible reasonable law makes even a small ding in it, while the remaining spam in the former category can be handled with one-button killfiles.

This law regulates exactly the people and companies who would otherwise have sent out massive amounts of spam if not for the existence of the law. The fact that you are seeing spam from random strangers (the hacked accounts) is a testament to how well this law has worked in curtailing the spam companies with lots of resources can send out.

The specific laws this admittedly "non-friendly" (which honestly, to me, was already kind of ludicrous and should not engender a positive response: the OP is simply calling out everyone who browses this forum as people he feels need to be reminded to follow laws, a stance that can only be construed as insulting) rant that started this discussion (and that I am thereby responding to) is discussing have absolutely nothing to do with sending large quantities of email: it has to do with specific ways that the user must have available to unsubscribe from continued messages coming from the same source.

This unsubscribe requirement is fundamentally, and frankly quite obviously, not superior to a killlist from the perspective of a normal user for the companies that the law could possibly apply to: it is unnecessary and does not solve a problem we actually have. Your comments about how this stops anyone, anywhere, from sending "massive amounts of spam", therefore, need to be defended, as otherwise they seem off-topic.

I wish the law was this strict for physical mailbox junkmail too. I receive way too many advertising materials in my tiny mailbox. I have to dig through a pile of unrelated advertisements to find maybe one letter addressed to me.


For the most part, since it costs real money to send real mail, many of the people behind it are inclined to honor unsubscribe requests.

Has anyone else noticed an increasing number of mails that have an unsubscribe link, which takes you to a proper unsubscribe page, but when you click on it you get an error?

The joy I suspect of ignorant bug prioritisation - seen by some as no big deal where in fact it means that the organisation is violating both US and European law as well as causing brand damage (either of which would usually make a bug priority 1 in any normal organisation).

Or the result of A/B testing when the new "feature" resulted in a 100% decrease in the number of people who unsubscribed from the newsletter.

That's why I immediately flag the email as spam when I see that - even if I know for a fact I signed up for the emailer.

More people need to do this.

And this is one more reason not to use software which is free.

From customer perspective: If you are using something which is free then they will try to SPAM you as much as it is allowed by law.

From company perspective: If you ran a web service (SaaS or something) and you have "free-loaders" using your service, they will mark as spam all your legitimate emails.

I feel we are like friends who never met. Is there a way to sue or force prosecution of those who violate this rule?

Now if only I can figure out how to evade the spam box with my legitimate unsubscribe link that I generate based off of a uniqueId and append to mydomain/unsubscribe/$code without having to use a relay mail server such as sendgrid or AWS route 53 :\

Off the top of my head, LinkedIn and GetSatisfaction do this.

Quora is (or at least was, recently) annoyingly in violation of this, requiring a login (which is difficult on mobile devices when you use something like 1Password)

Quora's become pretty much filth. I can't read responses without signing up / logging in? That is not what I consider helping the internet.

Why do they ask you to login first before you can unsubscribe?

The answer to that question might be enlightening.

I think there are probably two reasons depending on the company:

1) They see communication preferences as part of your account details and therefore just lump it in with the rest of them behind the username and password. I think where this is the case they're naive or stupid rather than malicious.

2) In some cases (I think relatively rare but they exist) they actively want to make it harder for you to stop the mailings and know every extra click and keystroke does this. In this case I think they're naive and stupid as well as malicious.

To prevent malicious unsubscriptions. Imagine I'm feeling mean, so I go to some services you use and unsubscribe you -- no login required.

This is prevented if unsubscribe links in the emails sent out have tokens specific to the user which are validated in lieu of a login. But that's fancy technology that most senders don't have.
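Both the earlier design comment ("a simple unsubscribe link w/ a unique token that executes the request upon clicking") and the comment just above (a per-user token validated in lieu of a login, so nobody can unsubscribe you by guessing your address) describe the same mechanism. The following is an added example, not code from the thread or from any of the companies named in it: the token is an HMAC over the user id, list id and issue time, so it cannot be forged or transplanted onto another user, it expires, and handling it is idempotent (a second click still returns success instead of the "not in our database" dead end complained about above). The secret, the ids, the 90-day lifetime and the in-memory subscription set are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumption for the example: tokens older than 90 days are refused, which
# bounds how long a leaked or forwarded link keeps working.
TOKEN_MAX_AGE = 90 * 24 * 3600


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(secret: bytes, user_id: str, list_id: str, issued_at: int) -> str:
    """Token = base64url(payload) '.' base64url(HMAC-SHA256(secret, payload))."""
    payload = f"{user_id}:{list_id}:{issued_at}".encode("ascii")
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(mac)}"


def verify_unsubscribe_token(secret: bytes, token: str, now: int, max_age: int = TOKEN_MAX_AGE):
    """Return (user_id, list_id) for a genuine, unexpired token, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte == would leak the MAC prefix.
    if not hmac.compare_digest(mac, expected):
        return None
    parts = payload.decode("ascii", "replace").split(":")
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    user_id, list_id, issued_at = parts[0], parts[1], int(parts[2])
    if now - issued_at > max_age:
        return None
    return user_id, list_id


def unsubscribe_link(base_url: str, token: str) -> str:
    """The single page the recipient visits; the token is the only input needed."""
    return f"{base_url.rstrip('/')}/unsubscribe/{token}"


def handle_unsubscribe(subscriptions: set, secret: bytes, token: str, now: int) -> str:
    """Server side of that page. Idempotent: 'ok' even if already unsubscribed."""
    claims = verify_unsubscribe_token(secret, token, now)
    if claims is None:
        return "invalid"          # forged, tampered, expired or malformed
    subscriptions.discard(claims)  # (user_id, list_id); no-op if already gone
    return "ok"


if __name__ == "__main__":
    secret = b"example-server-secret"          # assumption: stored server-side only
    subs = {("42", "news"), ("42", "digest")}  # constructed subscription store
    now = int(time.time())
    tok = make_unsubscribe_token(secret, "42", "news", now)
    print(unsubscribe_link("https://example.com", tok))
    print(handle_unsubscribe(subs, secret, tok, now), subs)
```

One caveat a practitioner would add: corporate mail gateways and link scanners fetch URLs in inbound mail, so a link that unsubscribes on a bare GET can be triggered by a scanner rather than the person. Rendering a one-button confirmation on that single page keeps within the "visiting a single page" rule quoted at the top of the thread while defeating the scanners; the later RFC 8058 one-click header moves that confirmation into a POST instead.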

http://www.ls1gto.com breaks this rule.

Does anyone know of a similar law in Canada?

Big deal, sir.

